Kerio Control is a unified threat management firewall that features intrusion prevention, content filtering, activity reporting, bandwidth management, and virtual private networking. This guide provides general step-by-step instructions for deploying Kerio Control in a common scenario.
In this example:
Kerio Control load balances between two Internet links.
WAN 1 has five static IP addresses and hosts services for servers behind the firewall.
WAN 2 has a dynamic IP address and primarily handles web browsing and Internet access.
There are four separate networks behind the firewall (LAN, Phones, DMZ, Guest).
The DHCP server in Kerio Control automatically assigns IP configuration to all networks.
Users authenticate against a local domain controller.
Users authenticate via RADIUS for web access.
Kerio Control forbids peer-to-peer networking.
Kerio Control maintains a VPN tunnel with a remote office.
Users connect remotely using VPN from computers and mobile devices.
Kerio Control reserves 1 Mbps for VoIP traffic.
Kerio Control restricts guest access to a maximum of 1 Mbps.
The company president receives a weekly report of all user activity.
Kerio Control automatically saves its configuration to MyKerio every day.
Kerio Control is available as a Software, Virtual, or Hardware appliance (Hardware editions are available in North America, Australia, and the EU). The product features and functionality are nearly identical across all versions.
Software Appliance:
Downloadable ISO file
Imaged onto installation media (e.g. USB drive, CD media)
Installed onto standard hardware
Virtual Appliance:
Available as a Virtual Hard Disk (VHD) for Microsoft Hyper-V
Available in Open Virtualization Format (OVF) for VMware ESX/ESXi
Available as a pre-built VMware virtual guest (VMX)
Hardware Appliance (three models):
3x Gb ports: 1.3 GHz Dual Core Intel Bay Trail, 4 GB RAM, 32 GB SSD
4x Gb ports: 2.4 GHz quad core Intel Atom, 4 GB RAM, 32 GB SSD
6x Gb ports: 3.6 GHz quad core Intel Core i5, 4 GB RAM, 32 GB SSD
You can download the Kerio Control image from the Kerio website. For instructions on Kerio Control installation, see Installing Kerio Control. If you are installing the Virtual or Software Appliance editions, make sure your hardware meets the system requirements.
After installation, the software automatically checks for updates. The web administration notifies you when an update is ready. See Upgrading Kerio Control for details.
After installation, Kerio Control automatically detects your Internet and local interfaces. For successful detection of the network interfaces, connect Kerio Control to the appropriate networking equipment (e.g., modem, switch, access point and so on) prior to installation.
You can access the full administration from a web browser by inputting the IP address of the firewall. Note that your management computer must be in the same IP subnet as the firewall.
The Virtual and Software Appliance editions include a separate administration interface that the administrator can access directly from the operating system. This dialog box includes only essential features and is primarily useful when you are not able to access the web administration. Capabilities of this interface include:
Allow remote administration from untrusted networks
Perform a factory reset
Configure TCP/IP parameters
When the administrator first logs in to the web administration interface, the Activation Wizard opens. The wizard sets the basic system parameters:
Select the default language
Confirm Internet Connectivity
Set the local date and time
Activate the license
Assign a password for administration
Set alerts and notifications
Enable management from MyKerio
See Configuring the Activation Wizard and Managing Kerio Control appliances in MyKerio for details.
Network interfaces in Kerio Control provide routing between local networks and the Internet. You must configure networking parameters and define your Internet connectivity before any other types of firewall configuration. The administrator can manage network interfaces and Internet connectivity in Configuration → Interfaces. Capabilities include:
Organize interfaces into groups
Configure Internet link load balancing
Add VLAN interfaces
Create VPN tunnels
Assign TCP/IP parameters to network interfaces
Add interfaces for L2TP, PPPoE, or Dial-up connections
See Configuring network interfaces for details.
In the example scenario, Kerio Control load balances between two Internet links and routes to four local networks.
The administrator labels each network interface.
The administrator defines networking parameters for each network interface.
The administrator assigns additional IP addresses to WAN 1 (set in Define additional IP addresses… in the interface properties).
The administrator moves the WAN 1 and WAN 2 interfaces into the Internet Interfaces group.
The administrator moves the DMZ interface into the Other Interfaces group.
The administrator moves the Guest interface into the Guest Interfaces group. See Configuring the guest network for details.
The administrator moves the LAN and Phones interfaces into the Trusted/Local Interfaces group.
The administrator selects Multiple Internet Links - Load Balancing as the Internet connectivity.
The administrator defines an equal link weight of 1 for each Internet interface.
Kerio Control can simplify managing the network by acting as a Dynamic Host Configuration Protocol (DHCP) server. DHCP automatically assigns networking parameters to connected devices. The administrator can manage the DHCP server in Configuration → DHCP Server. See Using the DHCP module for details.
In the example scenario, the DHCP server in Kerio Control automatically assigns IP configuration to all networks.
The administrator enables the Kerio Control DHCP server.
The administrator allows the firewall to generate scopes automatically.
Devices connect to the network and receive networking parameters automatically.
The administrator creates reservations for devices that need a permanent IP address.
Kerio Control can simplify user administration by authenticating users from Apple Open Directory or Microsoft Active Directory. The administrator can manage directory services in Configuration → Domains and User Login. See Connecting Kerio Control to directory services for details.
In the example scenario, users authenticate against a local domain controller.
The administrator joins Kerio Control to the local domain.
The administrator configures Kerio Control to map users from the directory server.
Kerio Control enforces security through Intrusion Prevention, Traffic Rules, and Sophos Antivirus. These features are configured automatically and ensure that the firewall permits only legitimate network communication.
For additional security, the administrator can configure Traffic Rules and Content Rules. Content Rules define the types of permitted or denied web activities of users on the network. Examples include:
Transfer of specific file types
Social networking websites
Online shopping websites
See Configuring the Content Filter and Application awareness in Kerio Control for details.
In the example scenario, users authenticate via RADIUS for web access and Kerio Control forbids peer-to-peer networking.
The administrator enables Always require users to be authenticated… and Enable WPA2 enterprise clients authentication in Domains and User Login → Authentication Options. See Using RADIUS server in Kerio Control for details.
In Content Filter, the administrator enables the default rule Peer-to-Peer traffic.
Traffic Rules define the types of permitted or denied network communication. By default the firewall creates a basic policy that permits all outgoing types of traffic. Examples of Traffic Rules include:
Allowing or denying a particular type of network service (e.g., SMTP).
Opening ports for incoming connections (Port mapping). See Configuring traffic rules for details.
Forcing specific outbound traffic through an interface. See Configuring policy routing for details.
In the example scenario, the firewall routes incoming traffic to servers located on the DMZ network. The administrator creates port mapping rules to allow incoming connections. See Configuring traffic rules - multihoming and Configuring Demilitarized Zone (DMZ) for details.
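To make the rule semantics above concrete, here is an added example (not Kerio's own code or API) that models the scenario's traffic policy as a first-match rule list: interface groups, an allow rule for IPsec to the firewall, a port mapping on one of WAN 1's static addresses to a DMZ server, guest isolation, and the basic outbound permit. All addresses, the DMZ host, the rule names other than VPN Services, and the closing deny are constructed assumptions; documentation ranges stand in for the public addresses.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional

# Constructed addressing for the scenario's interfaces (the page gives none).
GROUP_OF = {"LAN": "Trusted/Local", "Phones": "Trusted/Local",
            "DMZ": "Other", "Guest": "Guest"}
LOCAL_NETS = {"LAN": ip_network("10.0.1.0/24"), "Phones": ip_network("10.0.2.0/24"),
              "DMZ": ip_network("10.0.3.0/24"), "Guest": ip_network("10.0.4.0/24")}
WAN1_ADDRS = [ip_address(f"203.0.113.{i}") for i in range(10, 15)]  # five static addresses
WAN2_ADDR = ip_address("198.51.100.7")                                # placeholder for the dynamic one
FIREWALL_ADDRS = set(WAN1_ADDRS) | {WAN2_ADDR}
DMZ_WEB = ip_address("10.0.3.10")                                     # constructed DMZ web server


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    src_groups: frozenset
    dst_groups: frozenset                   # interface groups, or "Firewall"
    services: Optional[frozenset]           # {(proto, port)}; None means any service
    action: str                             # "allow" or "deny"
    dst_addr: Optional[IPv4Address] = None  # pin the rule to one firewall address (multihoming)
    map_to: Optional[IPv4Address] = None    # port-mapping target behind the firewall


def group_of(addr: IPv4Address) -> str:
    """Classify an address as the firewall itself, a local interface group, or the Internet."""
    if addr in FIREWALL_ADDRS:
        return "Firewall"
    for iface, net in LOCAL_NETS.items():
        if addr in net:
            return GROUP_OF[iface]
    return "Internet"


SCENARIO_RULES = [
    # Default rule the scenario enables: IPsec (UDP 500/4500) to the firewall itself.
    Rule("VPN Services", frozenset({"Internet"}), frozenset({"Firewall"}),
         frozenset({("udp", 500), ("udp", 4500)}), "allow"),
    # Port mapping: HTTPS arriving on the first WAN 1 address is handed to the DMZ server.
    Rule("Web server", frozenset({"Internet"}), frozenset({"Firewall"}),
         frozenset({("tcp", 443)}), "allow", dst_addr=WAN1_ADDRS[0], map_to=DMZ_WEB),
    # Guest devices may reach the Internet only, never the local or DMZ networks.
    Rule("Guest isolation", frozenset({"Guest"}), frozenset({"Trusted/Local", "Other"}), None, "deny"),
    # Basic policy: every local group may go out to the Internet.
    Rule("Internet access", frozenset({"Trusted/Local", "Other", "Guest"}), frozenset({"Internet"}), None, "allow"),
]


def evaluate(rules, pkt: Packet):
    """Return (action, rule name, effective destination). First match wins;
    a packet that no rule matches falls through to an assumed final deny."""
    src_group, dst_group = group_of(pkt.src), group_of(pkt.dst)
    for rule in rules:
        if src_group not in rule.src_groups or dst_group not in rule.dst_groups:
            continue
        if rule.dst_addr is not None and pkt.dst != rule.dst_addr:
            continue
        if rule.services is not None and (pkt.proto, pkt.dport) not in rule.services:
            continue
        target = rule.map_to if rule.map_to is not None else pkt.dst
        return rule.action, rule.name, target
    return "deny", "final deny", pkt.dst


if __name__ == "__main__":
    probe = Packet(ip_address("192.0.2.50"), WAN1_ADDRS[0], "tcp", 443)
    print(evaluate(SCENARIO_RULES, probe))   # HTTPS from the Internet lands on the DMZ server
```

Because the list is evaluated top-down, the guest isolation rule must sit above the general Internet access rule, and a service that is not mapped on a given WAN 1 address (here HTTPS on the second static address) reaches the final deny even though the same port is open on the first address.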
You can use Virtual Private Networking (VPN) to allow remote users or entire networks to access services inside the local network. Kerio Control implements IPsec for mobile device access and tunneling with third-party VPN gateways. You can also use the proprietary Kerio VPN implementation for remote access from desktop operating systems, and for tunneling to other Kerio Control firewalls. You can manage settings for VPN in the VPN server interface of the Interfaces dialog box.
See Configuring Kerio VPN tunnel, Configuring IPsec VPN , and Configuring SSL certificates in Kerio Control for details.
In the example scenario, Kerio Control maintains a VPN tunnel with a remote office, and users connect remotely using VPN from computers and mobile devices.
The administrator enables the default traffic rule called VPN Services.
The administrator modifies the user template to allow all users to connect using VPN.
The administrator installs a signed SSL certificate and assigns it to the VPN server.
The administrator creates a Kerio VPN tunnel to the branch office.
The administrator assigns a preshared key to the IPsec VPN server.
Users add IPsec / L2TP accounts on their mobile device.
Users install and configure the Kerio VPN client on their desktop or laptop computers.
Kerio Control includes several features to help you monitor network activity and optimize Internet availability.
Status → Active Hosts displays real-time activities of all hosts on the network. You can see which devices consume the most bandwidth, when the network is most active, and what types of activities are taking place. Refer to Monitoring active hosts for details.
Status → Traffic Charts displays throughput totals for a variety of items, including network interfaces, traffic rules, or bandwidth rules. This information helps you identify how data flows through your network.
Configuration → Interfaces → Internet Connectivity allows you to distribute network traffic between multiple Internet links. You can further adjust the routing of outgoing connections using Traffic Rules. See Configuring policy routing for details.
Configuration → Bandwidth Management and QoS allows you to prioritize traffic based on a variety of conditions. See Configuring bandwidth management.
In the example scenario, Kerio Control reserves 1 Mbps for VoIP traffic and restricts guest access to a maximum of 1 Mbps.
The administrator defines the Internet bandwidth for each Internet link.
The administrator enables the default rule called SIP VoIP and sets the value to 1 Mbps.
The administrator adds a new rule to limit Guest Interfaces to 1 Mbps.
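The two rules above do different things: a reservation guarantees VoIP a minimum while it has demand and lets it take more when the link is idle, whereas a limit caps guest traffic regardless of how much capacity is free. The following added example (a simplified model, not Kerio Control's scheduler) splits a link between traffic classes under those two kinds of rule; the 10 Mbps and 2 Mbps link sizes and the per-class demands are constructed inputs.

```python
from math import inf


def allocate(link_mbps, demand, reserve=None, cap=None):
    """Split one Internet link's capacity between traffic classes.

    demand:  {class: Mbps the class would like to send}
    reserve: {class: Mbps guaranteed to it while it has demand}
    cap:     {class: Mbps it may never exceed}
    Reserved classes are served first, up to their guarantee; the remainder is
    shared by water-filling (equal shares, a class that is satisfied releases
    its surplus), and a capped class stops at its cap. Returns {class: Mbps}.
    Simplified model of what 'reserve' and 'limit' mean, not a real scheduler.
    """
    reserve, cap = reserve or {}, cap or {}
    alloc = {c: 0.0 for c in demand}
    remaining = float(link_mbps)

    # 1. Honour guarantees first, but never hand out more than is demanded.
    for c, guaranteed in reserve.items():
        give = min(demand.get(c, 0.0), guaranteed, remaining)
        alloc[c] += give
        remaining -= give

    # 2. Water-fill the rest among classes that still want more and are under their cap.
    unmet = {c: min(demand[c], cap.get(c, inf)) - alloc[c] for c in demand}
    active = {c for c, u in unmet.items() if u > 1e-9}
    while remaining > 1e-9 and active:
        share = remaining / len(active)
        for c in sorted(active):
            give = min(share, unmet[c])
            alloc[c] += give
            unmet[c] -= give
            remaining -= give
            if unmet[c] <= 1e-9:
                active.discard(c)
    return alloc


def scenario_allocations():
    """The page's policy (reserve 1 Mbps for VoIP, cap guests at 1 Mbps) on constructed links."""
    policy = dict(reserve={"voip": 1.0}, cap={"guest": 1.0})
    return {
        # Plenty of capacity: VoIP exceeds its reservation, guests stay pinned at their cap.
        "idle_10mbps": allocate(10, {"voip": 1.5, "guest": 3.0, "other": 20.0}, **policy),
        # Congested 2 Mbps link: VoIP still gets its full 1 Mbps, the rest is shared.
        "busy_2mbps": allocate(2, {"voip": 1.0, "guest": 5.0, "other": 50.0}, **policy),
        # Same congestion without the reservation: VoIP is squeezed like everyone else.
        "busy_2mbps_no_reserve": allocate(2, {"voip": 1.0, "guest": 5.0, "other": 50.0}, cap={"guest": 1.0}),
    }


if __name__ == "__main__":
    for name, result in scenario_allocations().items():
        print(name, {c: round(v, 3) for c, v in result.items()})
```

The third case is the one that justifies the VoIP rule: without a reservation the call traffic gets the same equal share as everything else once the link is saturated, which is exactly when voice quality degrades.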
Kerio Control includes a reporting feature called Kerio Control Statistics. Kerio Control Statistics records the activities of authenticated users to a local database on the firewall. Privileged users can access statistics information on demand through a special web interface, or by email. See Configuring statistics and reports for details.
In the example scenario, the company president receives a weekly report of all user activity.
The administrator defines an email address for the president’s user account.
The administrator configures the firewall to gather Internet usage statistics.
The administrator configures regular email reports for the company president.
You can back up the Kerio Control configuration for restoring to another system in case of hardware failure or other types of disasters. You can back up the configuration manually from the Configuration Assistant, or automatically to MyKerio. In the example scenario, Kerio Control automatically saves its configuration to MyKerio every day. See Saving configuration to MyKerio for details.
Article Number: 1558
Posted: Sat, Feb 15, 2014 5:31 PM
Last Updated: Tue, Aug 23, 2016 4:30 PM
Posted by: Vendula Ferschmannová
Online URL: http://kb.kerio.com/product/kerio-control/quick-start-with-kerio-control-1558.html